(57) A method of manipulating and obtaining access to graphical desktop objects is disclosed. Touch-sensitive fields are provided on a computer display for user selection. Upon selecting one of the fields with a fingertip, a fingerprint therefrom is analyzed and compared to a list of authorized fingerprints. Once the fingerprint passes inspection, the user is granted access to the underlying program.
This invention relates in general to graphical user interfaces, and in particular to the use of fingerprint recognition with touch screens to manipulate graphical desktop objects and to access the underlying data.

Modern computer systems are becoming more user-friendly through the use of graphical user interfaces. Such interfaces provide a more intuitive method for an operator to use the programs thereon. For example, an operator may invoke a program by the selection of a graphical object or icon rather than by typing in a program command. Thus, the operator does not need to remember program commands, which are frequently non-intuitive and are generally considered unfriendly.

As computers are more and more widely accepted, more information, including sensitive or classified information, is placed on computers. As is well known, there are many people who pride themselves on the ability to "break" into computer systems to access data. There are many different ways to attempt to prevent unauthorized personnel from obtaining data on a computer. Passwords are commonly used for such a purpose. For example, an operator is required to type in a predetermined code word or sequence of keystrokes before access is granted. If the password is approved, the operator is then allowed to obtain the data and/or run programs as desired. Unfortunately, as noted above, there are many personnel who pride themselves on being able to break code words or passwords and obtain unauthorized entry into computer systems.

In addition to the use of passwords, other entry authorization techniques include the use of identification cards (US Patent No. 4,599,509, July 8, 1986, to Silverman, et al.) and encryption devices (US Patent No. 4,691,355, September 1, 1987, to Wirstrom, et al.).

Whenever a plurality of personnel have access to a single input device, there is a possibility that unauthorized access may be allowed. For example, an operator will typically initialize the terminal at the beginning of the day and sign on with the appropriate password. Thus, anyone who then uses that terminal will be granted access to any program to which that operator is allowed. If the operator is absent from the terminal, any person, authorized or unauthorized, would be able to obtain data therefrom. Thus, there is a need for a method and apparatus which will allow a computer system to grant access to individual files/programs on an as-authorized basis only.

Further, in the desire to create a more user-friendly system, touch screen technology enables direct object selection by a user's fingers contacting a touch screen surface directly over a graphical object. In addition, there are known devices which can compare a live fingerprint against a referenced print. Thus, while there are fingerprint recognition devices, there is no presently known method and apparatus allowing access to computer systems and individual programs thereon by fingerprint recognition on touch screens.

The present invention provides a method and apparatus for obtaining access to a computer system which eliminates or substantially reduces the problems of the prior art. The present invention allows a computer system, with multiple operators through single input devices, to grant access to individual files/programs on an as-authorized basis only.

In accordance with one aspect of the present invention, a method of obtaining access to a computer system is provided. A recognition device is linked to the system. Access to the system is then based upon an acceptable response provided by a user to the recognition device.

In one embodiment, the recognition device comprises a fingerprint recognition device. By touching a screen directly over a graphical object, a user may be granted access to the program identified thereby only if there is a match with a file of authorized prints. If no match occurs, access to that program is denied. Thus, multiple users of a single terminal can obtain information only from programs to which they are authorized access.

It is a technical advantage of the present invention that multiple users of a single terminal will be allowed to access only the data they are authorized to access. It is a further technical advantage of the present invention that access can be granted to multiple levels of information, if authorized, without the need for multiple passwords.

For a more complete understanding of the present invention and the advantages thereof, reference is now made to the Detailed Description taken in conjunction with the attached Drawings, in which:

Figure 1 is a graphical representation of a data processing system in accordance with the present invention;

Figure 2 illustrates a password entry to gain access to a computer system in accordance with the prior art;

Figure 3 illustrates an embodiment of the present invention;

Figure 4 is a diagram illustrating the interrelationship of the various components used in conjunction with the present invention; and

Figure 5 is a flowchart of the present invention.

Referring first to Figure 1, there is depicted a graphical representation of a data processing system 8 which may be utilized to implement the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Intelligent Workstations (IWS) coupled to a host processor may be utilized for each such network. As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16.

The data processing system 8 may also include multiple mainframe computers, such as mainframe computer 18, which may be preferably coupled to LAN 10 by means of communications link 22. The mainframe computer 18 may also be coupled to a storage device 20 which may serve as remote storage for LAN 10. Similarly, LAN 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or IWS which serves to link LAN 32 to LAN 10.

With respect to LAN 32 and LAN 10, a plurality of documents or resource objects may be stored within storage device 20 and controlled by mainframe computer 18, as resource manager or library service for the resource objects thus stored. Of course, those skilled in the art will appreciate that mainframe computer 18 may be located a great geographic distance from LAN 10 and similarly, LAN 10 may be located a substantial distance from LAN 32. For example, LAN 32 may be located in California while LAN 10 may be located within Texas and mainframe computer 18 may be located in New York.

Referring next to Figure 2, a monitor 40 and keyboard 42 such as found with individual computers 12 and 30 (see Fig. 1) are illustrated. As shown on screen 44 of the monitor 40, a required "Enter Password" prompt, indicated by reference numeral 46, is displayed. In order to gain access to the data accessible through the monitor 40, an operator must type, using keyboard 42, the authorized password in the space provided on the screen 44. As used herein, an "operator" is defined as a person who uses a computer program installed on a computer system. The term "user" may be used interchangeably herein to mean the same as an "operator". Once the proper password is typed, entered and accepted, the operator typically has access to any information available thereby. Thus, if the operator leaves the monitor 40 unattended without appropriately securing same, an unauthorized person may obtain access to data therethrough.

Referring to Figure 3, a monitor 50 and keyboard 52 such as are used with the individual computers 12 and 30 (see Fig. 1) are illustrated. In contrast with the prior art, the present invention does not provide access to all data available through the monitor 50 just by entering a single (or even multiple levels of) code words. Once the computer system to which the monitor 50 and keyboard 52 are connected has been activated, touch screen fields (which may include text or graphics) are presented to the operator. For example, a touch screen field 54 is provided for access to confidential files, a touch screen field 56 is provided for access to secret files and a touch screen field 58 is provided for access to unclassified files. In addition, touch screen fields 60, 62, 64, 66 and 68 may be provided for access to programs/data A, B, C, D and E, respectively. In order to gain access to any of the data or programs indicated by one of the touch screen fields 54, 56, 58, 60, 62, 64, 66 or 68 an operator must place their fingertip thereon. At that point, a fingerprint recognition device interconnected to the monitor 50 will check for authorized access. If the operator is authorized access to that data/program, the data/program will be presented to the operator. Any single operator may be authorized access to one or more of the programs/files presented on the monitor 50. Similarly, all operators in a department/group may access data/programs through the monitor 50 only if they are authorized for the specific information they are attempting to gain access to. By using the present invention, the unattended monitor 50 has a reduced likelihood of being used to compromise data by personnel not authorized access thereto. Also, use of a time delay may keep unattended access to a specific program (already opened) to a minimum.

Referring to Figure 4, a graphical illustration of the interrelationship of components necessary to utilize the present invention is illustrated. A multi-point, touch-sensitive surface 70 which detects contact at given points is provided with the monitor 50 (see Fig. 3). An analog-digital converter 72 to pass data about contacts is positioned between the touch-sensitive surface 70 and a touch driver 74. From the touch driver 74, a dual path is taken to an access grantor 76. In a first path, a graphical user interface 78 indicates which icon has been selected. Information about the selected icon is then passed to an application 80 for processing. In a second path, the touch driver 74 communicates with a fingerprint analyzer 82. A fingerprint image is communicated to the analyzer 82 in a form appropriate to distinguish a unique fingerprint, as is known in the art. Once an operator touches a field or an icon, a fingerprint template is compared to an associated "per-icon" access table found in the access grantor 76. Upon the templates meeting a specified confidence level, manipulation access is granted through an operating system 84 and access method 86. The appropriate program/data is then obtained from nonvolatile storage 88, which allows the operator to proceed.

Referring to Figure 5, a flowchart illustrating the present invention is provided. The present invention starts at 100 and waits for user interaction at block 102. At decision block 104 it is determined whether or not an "End Program" is detected. If the response to decision block 104 is yes, the present invention ends at 106. If the response to decision block 104 is no, the operating system is queried for selected object identification at block 108.
At decision block 110 it is then determined whether or not the object ID requires fingerprint authentication. If the response to decision block 110 is no, the program associated with the selected object is invoked at block 112, which is an unlimited capability, followed by a return to block 102 to wait for user interaction. If the response to decision block 110 is yes, an image is obtained from the touch driver at block 114.

At decision block 116 it is determined whether or not the image meets the recognition threshold. If the response to decision block 116 is no, an error message is returned to the user at block 118 followed by a return to block 102. If the response to decision block 116 is yes, it is determined at decision block 120 whether or not an image match is found within the access table domain. If the response to decision block 120 is no, an error message is returned to the user at block 118 followed by a return to block 102. If the response to decision block 120 is yes, it is determined at decision block 122 whether or not the access table contains a recognized user and selected object match. If the response to decision block 122 is no, an error message is returned to the user at block 118 followed by a return to block 102. If the response to decision block 122 is yes, it is determined at decision block 124 whether or not the access table contains application usage restrictions for this user. If the response to decision block 124 is yes, the programs associated with the selected object (a limited capability) are invoked at block 126 followed by a return to block 102. If the response to decision block 124 is no, the program associated with the selected object is invoked at block 112 followed by a return to block 102.

As a result of the present invention, security of a terminal and the programs accessed thereby is greatly enhanced. To access data available through the terminal, a user must be authorized access and must in fact be the authorized user as evidenced by a fingerprint. Once a terminal is initiated, a user may leave the terminal unattended with reduced fear of unauthorized access to sensitive information. Even if the user leaves the terminal with a sensitive program running thereon, an unauthorized user would be unable to access other data. By including a timer, unattended access by unauthorized personnel will be cut even further.
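The decision flow of Figures 4 and 5 (blocks 110 through 126) together with the inactivity timer mentioned here and claimed in Claim 3, written out as an added Python model; this is example code for illustration, not code from the patent or any product based on it. Everything below the block numbers is an assumption: fingerprint templates are modelled as fixed-length tuples of feature codes, the "recognition threshold" of block 116 is read as a quality check on the live image and the "access table domain" match of block 120 as a nearest-enrolled-template search, the similarity metric and thresholds are constructed, and the users, objects and restrictions are sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Block numbers taken from the patent's Figure 5.
INVOKE_UNLIMITED = 112   # program invoked with unlimited capability
ERROR = 118              # error message returned to the user
INVOKE_LIMITED = 126     # program invoked with usage restrictions


@dataclass(frozen=True)
class Template:
    """Constructed stand-in for a fingerprint template: a tuple of feature
    codes, with None marking a feature the sensor failed to capture."""
    features: tuple


def image_quality(img: Template) -> float:
    """Fraction of features captured. Assumed meaning of the block-116
    'recognition threshold': is the live image good enough to compare."""
    return sum(f is not None for f in img.features) / len(img.features)


def similarity(live: Template, enrolled: Template) -> float:
    """Fraction of positions on which the templates agree; uncaptured live
    features count against the score. Constructed stand-in for the
    confidence level produced by the fingerprint analyzer 82."""
    agree = sum(a == b for a, b in zip(live.features, enrolled.features)
                if a is not None)
    return agree / len(live.features)


@dataclass
class ObjectPolicy:
    """One row of the 'per-icon' access table held by access grantor 76:
    user -> set of usage restrictions, or None for unlimited capability."""
    requires_fingerprint: bool
    authorized: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    block: int                        # 112, 118 or 126
    user: Optional[str] = None        # recognized user, if any
    error: Optional[str] = None       # reason when block == 118
    restrictions: frozenset = frozenset()


@dataclass
class AccessGrantor:
    enrolled: dict                    # user -> Template (access table domain)
    objects: dict                     # object id -> ObjectPolicy
    quality_threshold: float = 0.75   # assumed value for block 116
    match_threshold: float = 0.90     # assumed value for block 120

    def identify(self, img: Template):
        """Best-matching enrolled user and its similarity score."""
        if not self.enrolled:
            return None, 0.0
        user = max(self.enrolled, key=lambda u: similarity(img, self.enrolled[u]))
        return user, similarity(img, self.enrolled[user])

    def decide(self, object_id: str, img: Optional[Template] = None) -> Decision:
        policy = self.objects[object_id]
        if not policy.requires_fingerprint:                  # block 110: no
            return Decision(INVOKE_UNLIMITED)
        if img is None or image_quality(img) < self.quality_threshold:  # 116
            return Decision(ERROR, error="image below recognition threshold")
        user, score = self.identify(img)                     # block 120
        if score < self.match_threshold:
            return Decision(ERROR, error="no match in access table domain")
        if user not in policy.authorized:                    # block 122
            return Decision(ERROR, user, "user not authorized for object")
        restrictions = policy.authorized[user]               # block 124
        if restrictions:
            return Decision(INVOKE_LIMITED, user, restrictions=frozenset(restrictions))
        return Decision(INVOKE_UNLIMITED, user)


@dataclass
class Session:
    """Inactivity lock of Claim 3. The clock value is passed in rather than
    read from time.time() so the behaviour can be checked deterministically."""
    lock_after: float
    last_interaction: float

    def interact(self, now: float) -> None:
        self.last_interaction = now

    def is_locked(self, now: float) -> bool:
        return now - self.last_interaction >= self.lock_after


def build_demo():
    """Constructed sample data: two enrolled users and three touch fields."""
    alice = Template((1, 4, 7, 2, 9, 3, 8, 5))
    bob = Template((6, 2, 5, 9, 1, 7, 3, 4))
    grantor = AccessGrantor(
        enrolled={"alice": alice, "bob": bob},
        objects={
            "unclassified_files": ObjectPolicy(requires_fingerprint=False),
            "secret_files": ObjectPolicy(True, {"alice": None, "bob": {"read_only"}}),
            "program_a": ObjectPolicy(True, {"alice": None}),
        },
    )
    return grantor, alice, bob


if __name__ == "__main__":
    grantor, alice, bob = build_demo()
    for obj, img in [("unclassified_files", None), ("secret_files", alice),
                     ("secret_files", bob), ("program_a", bob)]:
        print(obj, grantor.decide(obj, img))
```

The three error paths all return the same block (118) with different reasons, mirroring the flowchart, in which blocks 116, 120 and 122 each route to the single error block; a smudged print (too many uncaptured features) fails at 116, an unenrolled or near-miss print fails at 120, and an enrolled user touching a field they are not listed for fails at 122.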

Claims

1. A method of obtaining access to a computer system, comprising the steps of:
linking a recognition device to the system; and
allowing access to the system based upon an acceptable response provided by a user to said recognition device.



2. The method of Claim 1, wherein said step of linking comprises:

installing a fingerprint recognition device. 

3. The method of Claim 1, further comprising the step of:

locking the system after a predetermined amount 
of time has lapsed without any user interaction. 

4. A method of manipulating data availability on a computer system, comprising the steps of:
selecting a touch screen field displayed on the system with a user's fingertip;

comparing a fingerprint from said fingertip with an access table containing representations of fingerprints authorized access to said field; and
granting access if said fingerprint matches one of said fingerprints authorized access.

5. The method of Claim 4, wherein said step of selecting a field comprises:

selecting a graphical object. 

6. The method of Claim 4, wherein said step of selecting a field comprises:

selecting a textual field. 

7. A device for granting access to a computer system, comprising:

means for linking a recognition device to the system; and

means for allowing access to the system based upon an acceptable response provided by a user to said recognition device.

8. The device of Claim 7, wherein said means for linking comprises:

a fingerprint recognition device; 
an analog-digital converter; and 
a touch driver. 

9. The device of Claim 7, wherein said means for allowing access comprises:

means for indicating a selected data field; and
means for comparing a user response to an acceptable response for said data field.

10. The device of Claim 9, wherein said means for indicating a selected data field comprises:

a graphical user interface; and 
an application. 

11. The device of Claim 10, wherein said means for comparing comprises:

a fingerprint analyzer; and 
an access grantor. 